MONTRÉAL - The workings of bot nets will become more difficult to divine in the future, because the people who control the networks are moving away from using Internet relay chat (IRC) rooms to link the compromised computers together, a security researcher told attendees at the Virus Bulletin 2006 conference.

José Nazario, a senior security researcher for Arbor Networks, spent more than six months delving into the chat rooms typically used by bot herders as the central command posts for their compromised networks. The research, which was part of a project dubbed "Bladerunner," used a mock bot that Nazario and an intern at Arbor coded using Python.

The researchers found that the command and control channels are increasingly becoming encrypted and are increasing moving away from chat rooms to Web servers.

"As HTTP bot nets become more popular, we're having more difficulty in tracking them," Nazario said in an interview after his presentation.

While a number of bot herders have been arrested this year, most of the people managing bot nets are not worried about prosecution, Nazario said. One bot herder from Italy even taunted the researchers.

Arbor research found that bot nets are typically short-lived--less than a third last more than a day. Most ISPs quickly take down the offending IRC servers. While the bot clients are compromised Windows computers, the command and control servers are most often--about 85 percent of the time--Linux or Unix machines, the researchers found.

About half the bot nets tracked by Arbor were used to attack sites, or other herders, with distributed denial-of-service (DDoS) attacks. The majority of bot herders are not technical, and may even not know much about IRC, but act more as project managers, Nazario said.

CORRECTION: The original article cited the wrong language for the mock bot software; it was written in Python.